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(5 7) Abstract: 

PROBLEM TO BE SOLVED: To minimize DDoS attack 
countermeasure processing in a network, to perform necessary 
processing, to provide a plan for obtaining an effect, to expand a 
processing range even to other ISPs and to apply accurate 
processing even to an attack packet that flows in from the other 
ISPs. 

SOLUTION: Exit lines 1 5 to 1 7 on a server side of an edge router 1 
in an ISP to which servers 9 to 1 1 to be a protection target, lines 
18 and 19 on a user terminal side of each edge router 2 in a self- 
ISP 6 that houses user terminals 12 to 14, and lines 20 and 21 to 
other ISPs 7 and 8 of a border router 3 are selected. In processing 
at a normal time, a threshold for the maximum traffic of a TCP-SYN 
that can accept a server to be protected is set in advance to 
perform monitoring. When traffic exceeds the threshold, a part that 
exceeds the threshold is filtered, and the address of the server and 
the threshold are notified to ail subscriber housing edges and all 
border routers in the same ISP. 
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itmm i ] 

I DCrtWt-^v'^TCP- SYN — Flood 
A*b«Bi"5fc«>, B£ I DC*5»jBtSix"CV^S I S PM 
Wxy^-^tt, R I DC«]05ttlPlHl»^T, ttif— 
destination addres si: 
tSTCP-SYN/^y h(7^ t y ^ left L~C Mil 

U 

address £riifcnL, 

%m i s p fcttR#«w>r ^a:— ^ic-cgsr^tt- 

f£tf— /u— *J±. to I SP-w*'-^ 
— ^»CttB*l*5J:t«K*— -'^v'^a d d r e s s £ 

& fa is Ltoa-r * - 1 <^ sswifcsw— tr * tars 

IfM^f 2] 

mils I DC//«^HTV^ I SPfflox r ^^ 
tttt ibftS TCP- S YNcoilr*: h7t-^ oMIfiSrSS: 

[SS#13] 

if — /WS/y^: destination addres 
s itSTCP-SYN^S' h(7) h: ^(CttL 

5S I SP»^'7^-^^ 

dress IT, BUsE ISP <DfcttW<0>( > 

d d r e s stittRSrfiWLT, (0& I S P^bS I S P CO 
~ yu— ^ «]<£>>< > * — 7 ^ — x TKBBfi 

g I SPlW^7^-^l^ I DCF*Wf$fl>tf&T* 
&>£U— x<-r^V^(7)tfcSPlHlj||tc:T, BHJ— yW*»-£ 
destination addres sfctSTCP 
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fei^^^i:RHIi:St-^'>yi/)a d d 
r e s sW«&iifc-r6#«*. WTS«t*»^ 

1f»*l^««lX*LTV^ii I SP»(?)x r > 
- * £ fctttf — * i I SP»^)Ixy^ 
/U-^/j^HIi addres s 1W«£3:« Lfc r t £ 

70 WiBi-2>3MH, aRispttts»«o^^-7x- 

i|5^LT^£<t!i I S P<Z>#— yu— ^I^LtiHl 
£ a d d r e s s tit S&SriifcrT S^W«r, 
fccvy'a if "7 ^ 0 
[fjf^le] 

fill I S P^F^co^— ^— yu— g I SPirt^- 

^— yW— *j&>&|SMt& addres s «f«*Sfl 
irSrfltB-rs^NS. fill I S P$ll^<DiJ— /^i/y^Hi 

— Z&kTftf— yu— ^iC^tLT, f£P4til:<t a d d r 
e s s««Srai8Di-5#8k*r. Mft Z^ZtctiXD-?'* ? 
y^o 

If 4 bfi^ 1 ! 6 <^i/^i*^*^c|S*feo >^n if y J* It 
[0 0 0 1] 

*38Wttx ISP (Internet Service 
Provider) j|fijCj3tt6DD o S (D e f e a 
ting Denial of Service) 

[0 0 0 2] 

t^5fe(7)D oS (Denial of Service) 
LTf2, 2 0 0 1 ^m^-tf ttiiiB * 
B- 7- 1 4 0|fi9ffltft— , FDo S 



50 



^0 



-2- 



(3) 



2004-16 6029 



[0 0 0 3] 

T KU^PI^l-ttLTf*. IDS (Intru 
si on Detection System) ld<fc<5 

[0 0 0 4] 

3fl^ DD oS (Distributed DoS) d** 

=K*W*ffi"C»i, TCP-SYN Flood^I^ 

£rUX^-T5 1 S Prt©iy^/^^^%5>* > -* 
X\ ^TCP-SYN/^^/ h^7-f/^ y 

^/j!«Mt)^-C7>f^ y ^tltU9 
C-T% TCP-SYN-F lood^il TCP (T 



[0 0 0 6] 

2001 ^SrF-wwififs #£t&&*3 



B-7-1 



Pro* 



col) /^y h(07'< — KWSYNWfiClfy h 
5o 

[0 0 0 5] 

y h 7 - ^ ^C/)^x 7 ^ t' h 7 t y ^t**BSr(X 

ITi^- h7 t y U DDo 

f c> ^ y M7-^ i/^</u-CSalS:tT5»&t?t), I SP 
iiLTiSfLALT< 6 TCP-SYN Floo dlC*j"L 



[0 0 0 7] 

o^r, AWAsav^at*?), ^etco-y— tracts 

[0 0 0 8] 

20 IBSrdb I S PlcfcttSBU (iU I SP^blAfS*^ 
t* * l«felft»;fr 8=*s J: t* > * ^ ^ > ftb^W^o^ 

[0 0 0 9] 

iw — * coflo A#«J<^ieM*, fill I S P — wSE«fe#-r i/bkt£ 
3 /J^ — ^ — A* — ^ £>fiii I S P— (OHU6*:iS«i"S„ 

b^TCP-SYN(/)t^h7t ^^^^M^rlx^U 
T*5^, ^^^^tT9 0 sp*W<0*Dfatt, »-±<0^-C*> 

[0010] 

^ 'J V^^^TV^ N IS]— I S PrtO±APA#HX^^ 5/^*3 

— ^ti. ^!^r4 (*3£TJ\ ^PA^IX^^^^-^"^^ 

») ^r^(-> ^^7^/^yy^rilWx £Sx.T 
^;^wi:ov^ii7^^ y >^^1t9 0 #0A#i&^ 

sq^^/U— ^r-Ctt, y V^pI^^^DA^K'J^^ 

u^-V(7)-<>^ — y ^{cir. -< 7x- ^tciix 

50 [0011] 
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5 

I S Pcoztf— /u— '<o>T Ku^^Jzt^lSgfii 

Srii£a-r5o ii*n£§:ttfc<t!l I s Ptli ittSHifca&S 

v^yi — *<DGLS.ttrth u _biss i sp tmtt&m&n 

[0 0 12] 

J; 9 D D o S*»#JBfc*B bfc*»W©*Df3a«c:ov>Tltt 

(17(1, 4469l0)ttlfiB (DDoS^MI) 

i I S P37*y h 17 — ^ 6iC*3VST, M<D&ft\ZiiLm. 

6o 

9, 10, 1111 IDC (Internet Dat 
a Center) \HX e =3-^ — ^, ^ISif <C 

^ SrfT5iK- ^'>^"Ck9 . 12, 13, Hligl 
S PldflDAi-fc^— if^**^*)*. 15-1711 x 
* lt-*3tt^^— '*9—l lMnJ — 7^ 
18-19lix r ^^2W^a-fK 
12-14«JWy^-7x-^ % 2 0 — 2 1H 

/U— ^ 3 l£*5tt5fi!l I S P<Dtf—?—/l'—9M<0'( 
y^-7x-^, 2 2 — 2 3(1 WmilSPW 
4 StC&tf-^g I SP^- J^— $\% 

[0 0 13] 

18(1 IP^7^<tr/TCP^^^7^^ 

TCP-SYN/^^Ml dJ8(C^-T J; 3 Pro 
t o c o 1 liTCPW\ flags -SYNWtl 

mi^7F^7K'^6o ttt, IPhead 
er, TCP header. *5,fctfD a t a (^HIIlC^ 

<f £4x5 0 TCP header ftcO f 1 a g s 7 <i — 

;UK6tTyh (t'y - 14) H URG. ACK. 
PSH, RST, SYN, FIN(06i<7)lfy hT'« 

[00 14] 

±I^^^-«*CSAL, ftSffl^77h|>x7S: 
»«W*tr*^<0«»^W«*+3. i7t'll iiA^H 
fca-— 1f**£rl 2*5j:tM 3, iiA^n^^o/c^x- 
1f«l*4rl 4 ^-t«12, 13co£ 
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[0015] 

#*#H IfiS* (HI 05 12, 13) 

-?fl:*IOT C P - S Y N/^ v V £i£{f -T 5 £ 9 ^ 
^ (7) ^ ^ , TC P-SYN/^i/ h<7) s o u r 
ce address (^ItcT K^^) ICtl^ 

J; 0 0)*1<OT CP- S YN/^ y h 
«ltllofct^9ll tiiWlofo^y h 
/0 ^JC=3^^ ><0*Q;3llfcH£5o wOtoSLS:* 3 way 
— hand — snaked P£ -£ 0 
[0 0 16] 

HI 9 fl IE^& 3way-hand-shake <7»— 

3wa y — hand— s ha k e H "t^fts* 1 2 , 

13/j^t-^9^ TCP-SYN^yh (3 1) 
^iMf^o TCP-SYN/^yh (3 1) flS-fr— 
9lzmtt£frZ>t, rttSrSHf L*:*- 9 h 
CO s o u r c e 
20 address SICTCP-ACK+ SYN/^y h 

(32) &isi£i-s„ 

source a d d r e s s CEL^I (12, 13 
(7) IP address) £SRj££:h/Cl\h,tl iaf£^ 
>>ry htt^L— 1f**l 2, 1 3lc7cif «9*#. 
y hfrSttRofca-— 1F»*1 2, TCP 
-ACK/^>;F (3 3) SrlJ— 9 U 
•CTCP^^^i/aWjSiita (3 4) 0 
[0017] 

Lt^U iS/Vt'l 2, 13 11 t^9CTCP- 
30 SYN/^7 h^riH^-r^l^t-. source add 

r e s siz7^?M§.&wi7£^x mtt-rztc.fr. 

9 11 ^7^1^ IP address —TCP 
-ACK+SYN/^7 h^Mt^t^;, SOSES' 
hMV^tT^, 1 3 iztc.¥*> \ 
[0018] 

HI 0H /y^l2, 13/^tw^9CTCP-SY 

/yt'l 2, 1 3 ^bTCP-S YN^y h (4 1) 
40 9 IdSHf "T /7t'i2, 1 3T-H s 

ource address IC 7 V^Al^SS ^tlX 
mtt£tlZ><»X\ t-/<9WrCP-ACK+SYN 
s<tr y V (4 2) £iga2H-*»£\ 3.-^**12, 1 

**1 2, 1 3i:[iTCP-ACK+SYN/^7 h 

(4 2) HS^4V\ -t^tt*, if-/<9(Ct> TCP 
-ACK^-;F (4 3) ttS*»*V^4:Jcnc«>o t£o 
9 H ^^A7^ht5*-CTCP-ACK 
^/r^h (4 3) <Of**>tt»fcft&. tot, 
50 ^t^J: «9 SSS^fi^T C P-ACIW7 h^iH^n^) 
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«9. y y-**J£#iflc:J; 9 <tffeff.it LTL£ 
[0 0 19] 

(HKW 

^u-^(c^ott6^-<^^ y >^(?)/u— /ul££il]®c?)tfij 

H13(7)J: ?tc*T9o * 1 lis — 7 zn — 

7sl5 ICTi^— 9(7) I P address£rdest 
inationaddress^(53, 54), PR 
OTOCOLtTCPI: (5 5) CONTROL FL 
AGS^SYSIC (5 6) ; — fcOBMtSrKtt. RBffi£r 

[0 0 2 0] 

fc y^H*r»3feU"C*5< (57), rem W60 
Kb p s*s^ssttrv^5o 

IP address W;^L-C^< (58) „ I 

/U— ?(7)IP address^lT^<o - - "C 
f±. 111. 11. 22. 3£ 22. 22. 33. 4fc 

-ij— ,<9<OI P a dd r e s s W«£8sf<t LTiifcPS: 
[0 0 2 1 ] 

HI 4, H5fi, 3i ^/ vvu— ^ 2&J:U { tf— fr— * 3 

([11(7)2, 3) te, >{y^-7x-^18 
-21 [C^^X&tt&iltz IP address ^DE 
ST I NAT I ON ADDRESS IC (63) . PR 
OTOCOL^TCPC (6 5) . CONTROL F 
LAGS^rSYNC (6 6) . BMKSrKtt (6 7) . m 

fc LTte. ^f^CTLT7^/u^ y ^pT«ft, 
(1, VIRTUAL ROUTER^Milt^ 
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5 

6 (micoi8) 0 minm&izn^ 

(Ct. iI*PL/«£^ (6 8) C ^(Ct^^^^Tl^o * 
4b\ HiCtLTIi, ii*PBHtt/ 1 0 0 oa*K3££*L-t^ 

<s 0 

[0 0 2 2] 

18 — 21 iCiJol^Tigtt^frfc IP addresser 
DESTINATION ADDRESSl: (73) % 
PROTOCOL^TCPC (7 5) . CONTROL 
10 F LAGS^SYNIC (76) „ WiBSrKtt (7 

7) , RBttS:t-^t5»»tov^7 ^ /u^ P >^ 

7x- *t LTtt, ifC^tC^L-C^^/u^ y ^ 

i5m VIRTUAL ROUTERO^B']^ 

(m ic7)2o) „ Mffitc:o^-cf±, ^#>. iifcn 
$ thtzmm t m%-< > * — ? * \zmm ztiz a— if 

bfctmc*«:IBb-C*3< (7 7) 0 

20 [0 0 2 3] 

aK-^^vdssK— /is—?<Dm&\z\^ F7t y^a* 

BMI[*rjH^Lfc«-&w5i«aift I P ADDRESS 4rlS"t" 

(78) B il£n5fc IP ADD RE S SMtt. ^f£^ > 
— /U— ^ (Hll (7)4, 5) (DTK^^ELtfc 

7^— /u— vu~/K?)isidii-^oT, h7t-^ 
lci§*p£fr?o ii*0£r§:tt;fc^— Ar-* 4, 5 12, 

2, 2 3 ^ea i 1 s p 3 7 h 7-^ rti:t± 
eg 1 sp tmm<D&i i m&m*)M^a 

[0 0 2 4] 

H)6fi s fill I S P(7)tK— /U— ^(d*3tt^>7^ /u^ y 
^ i/ (7) ^ @J \E (7) m't EH T # ^> -5 □ 

(U6(7)^^®ffi^. filii:**S*ti, 
^JCTiS^-f -5/^— A-MT, SOURCE ADDRE 
S SH51^a$H/c: IP address ^rjlVV H1£ 

-< — 7x- ^ 1 8~2 1 (d*3V^-Ci^f\|-^ 
tbfc IP address D E S T 1 NAT I ON 
ADDRESSl: (83) . PROTOCOL&TCP 
\Z (8 5) , CONTROL FLAGS^SYNC 

(8 6) , RBMtia*p^^M<e m^mm ^l (8 
7) , m^^—^—r^u^z^^xy^j^^ u 

&ff9o BI6T*fc, VIRTUAL ROUTERS 
^^^i]<h LT^<5 (Hll 02 2) „ H6Wi^ il^P5fe 
IP ADDRESSlClt — — *<F>t£ 

50 ^(7X011 SP=7*y h!7 — ^<7)tK— 47*— yu—^ ([U 
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1(7)4, 5) COT KU-*£faUT*5< (88) a 
[0 0 2 5] 

AiTX5/«/^im HI 3 lc^-f/u— A-ta:5£lii® 

A2TMffi&i@;Lfc»'&ta*, * (ai-y^— ^ 

2 , tK— /U— * 3 ) KlU— ✓ < 9 <D I P addre 
s s tlWftSriiferrSo 

A 3Tiy^-^ 2Tti, HI 4, [H 5 tC^i-/U~/i-I5: 
jEKffilCj: 0 , D AtCU" — /< 9 CO a d d r e s s dSR£ 
StLfcTCP-SYN/^y h ^r-f >-? — 7^ — ^ 1 8 
~2 BMB«:«^fc^5A^4:E« 

i-a. 

-tf— /<9CO IP address <h M4S£rii*n-*-5« 
A5Yfl!iI S PtDtff— A— * 4, gi6M^ 

[0 0 2 6] 

stination address 9WIP 
address, p r o t o c o 1 WPTCP, F 
1 a g sO|pSYNt^5/^7 h<D b 7 t ^ * 

fy^l 03) 9 |p|— I S Prt«3#3iy i^/l — £MC|3B 
tt, f-/<90IP7K^«:i*Pt5 Uf^lO 

4) „ 

[0 0 2 7] 

-7i-^18~21t'Des t inat ion ad 
dress COftt^iJ**-^ 9CO I P address, p 
r o t o c o l COM/^T CP. flags SYN 

5) 0 

7^107) 0 -t LT S gxco,v?/U~ *<7)«ig&*l]SU 
L (^^108) . *PA#iR*^ y *T?*>*L 
tt\ MWU /u— *T**>ilx»i\ fill I SP 

tfE— ^-/U— # ^>^-7x-X20, 2 1^i 

7^109) „ 
[0 0 2 8] 

ftl:, ii 5li, SiSP^ 
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/0 

b!7 — 9 6tC-Y^^— 7x- ^ 1 5 -f^* — 
7x-^2 2, 2 3lCg#^x.T, 
0 8 *>*MS*r*l?-rs Ur^llO) „ 1-fcfc>%. 

^— A~ 4, 5J±, -f >-^ — 7x- * 2 2, 23 
T* Destination address /J S U 9 
(DIPaddress. protocol (D\&i£ T C 
P. F 1 a g s(?)|pSYNT'fe^7 F« h7t 7 

101) , h7 t y^dS(B«4rJBx.*:ftb« 
JO 10 2) . ®x.^ffi^tco#^^ hSr7^/u^ !J 

L Ur^l0 3) „ I^-ISPrtO*xy^u-^ 
*3<fcU<:#— /u— *fc:WMl* t-/<90IP7K^ 
£iI£ni-5 Uf77°i04) „ &*d. [Ejitcfi, fatt 
j&s«ll&£;h/C^5j&s. fill I SPa7*y YV — t 7, 8 
t > xl— tf »*^IRS 2 *U5 xc * 9 ?Mm £ tL 

rv>S„ £fc N a^yzfl 1 OTMi, fill I SP(D37* 

(D^tcd^— /w— ^te, El 6 tc^-T <t 5 
[0 0 2 9] 

fill I S POx r >- **5.fclMS— /u— *<E»T 
-7x — ^t'D esti nation address 
<7:>ffij& s U"— '< 9WI P address, protoc 
o 1 OfilE/^T C P „ f 1 a gsWPSYNtfcW 
.y b<D h7 t y ^^iifei^nfcHfiSSre^a^^^S 
)|L (7.T77'10 5) . F7t7^»l^it^ 
btf Ufy7°10 6) . ^Tc^^^o^r. /^^r^h 

30 ^<oa*S:*i]SiJL (xf 77 9 1 0 8) , ^0A#HX^^>y 
^ co i: # ttfelSrftT L , ^— ^— ^f)t^ 
tcti, fill I s prf—y— — ^tcMM. t-^9(0I P 
T KL^Sriiferrs (^T^y^l 0 9) „ 
[0 0 3 0] 

&*5. IE 2 W7PH^ioV^T, 777/101-104 
tig I S P aT*y hy-^wxy^^ 1 ^Htf-t" 
^7 P D^7^(^M6rt^T'#, ^fy/lOS 
-10 9{^i I S P^7^7 h7-^(/)x«y^-^ 2 
£> J: u^^— ? 3 ^utr-r ^< # ^7 A ic^m 

^0 777^110 U7-;7'10 1-l 

0 9) tefllil SPa7*y h7 — *<Otf—y—/i'—? 

So 

h 17 — ^ (7)m «y v^/U— ^ * fcfi?K— /u— ^ tC^i" 
50 [0 0 3 1] 
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// 

£L±.mWl>tc£ o Jd, XftWlzXthtt. DDoSOT: 
7t^^^^f5WT'fc6o DDoSWfirbix 

tTbtl^^o h 7 t y ^ 3&S»ff 

fc, M— I S P[H<D^>y ^U-^^ii*P««ttffi<'> 
[0 0 3 2] 

v//U— *2. /u— * 3T-2SBfT*ll1fi$nS^: 

tf\ *2, A-—* 3(7^T*H*^iX 

7 4)V$ ]) i/sf®m*^-y vvi— $ 2 , tf—^-yu— * 
3(Cjott5^H-^^ y ^^ftiaS:, SlSP37^yh 

* i t&ttm<D&4 is*-? ^—*mz.ftotz&, 

[0 0 3 3] 

y~ ; i — ^p^coii^D^rff 9 -^(ciJ: «9 x m\c& I s 
U isy&nom&k&^X, &tft9c<D{& I S P 7, 8T' 

nan **wo-*«i«sr*i"»*ai*-if^ieifti» 
[@2] 01 (d^*t5»«kM^— tr^ffitfel»ffl*ife^» 

[0 3 ] 01 tc^sitS^ y^-^ 1 O/u— 
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/2 

[0 4] 0 1 tCftltS^? * 2 <Z»u— yUsS^WS 

^J£t^-0T*&5 o 
[0 5] 0 1 (c&tfStf— /U— * 3<V;u— A-RJEi® 

[0 6] 0 1 tC&ttStf— tf— yU— * 4X<DA JVWl'SE 

Wm<nM*^-tmxtbZ> 0 
[07] DDoSSS»*Sr»S4v^yh7-^^ 

/0 [08] I PAy^ T CP^y ¥<D7 *—^r y Y&TF 
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